Inside Bay Area – New security glitch found in Diebold system.
Elections officials in several states are scrambling to understand and limit the risk from a “dangerous” security hole found in Diebold Election Systems Inc.’s ATM-like touch-screen voting machines.
The hole is considered more worrisome than most security problems discovered on modern voting machines, such as weak encryption, easily pickable locks and use of the same, weak password nationwide.
Armed with a little basic knowledge of Diebold voting systems and a standard component available at any computer store, someone with a minute or two of access to a Diebold touch screen could load virtually any software into the machine and disable it, redistribute votes or alter its performance in myriad ways.
Are we paranoid enough yet?
Update: Ed Felten and Avi Rubin have links, details, and an assessment. It’s bad.
Everytime I read about Diebold, I get a chill. One Nationwide Password???
Does this mean that a voting machine in storage today, when perhaps security is not at its highest level, might be directed by malicious code to vote in a particular way, and that the results would not surface until the election in November? Is there some equivalent of a virus program that should be run on voting machines shortly before each use of the machine?
Remember, Diebold’s roots are in the Automatic Teller Machine industry, which it used to dominate. Diebold, by necessity, has (or had) a rock solid core of technical competence in computer security.
Therefore, given the extensive security flaws in the design of their voting machines it is reasonable to conclude that “tamper-proof” was *not* one of the design goals of these machines.
The Diebold machine could be modified not only to change election results, but on detecting the end of the election, to restore the original software, and erase itself otherwise, thus requiring extremely advanced forensics to determine that the machine had previously been compromised. The depth that this could happen would depend somewhat on the details of Windows CE. However, whatever Windows CE says “on the box” there would also might be exploits in CE useful for this sort of deception.